Ahead of former Equifax Chief Executive Richard Smith’s testimony to Congress, the embattled credit scoring company said an additional 2.5 million customers may have been impacted by its massive data breach.
Bloomberg, citing the company, reported that with this latest disclosure the number of people potentially impacted by the breach is now 145.5 million, up from 143 million. When the company first revealed the data breach, it also said 209,000 credit card account numbers may have been compromised. The new disclosure came after Mandiant, the firm investigating the breach, concluded its investigation; it is about to issue results “promptly.” Equifax also plans to update, by Oct. 8, its notification for consumers who want to check whether they were impacted. The company noted that the breach affected only 8,000 Canadians, far fewer than the 100,000 it previously said could have been compromised, reported Bloomberg.
The latest revelation comes as Equifax’s former CEO Smith, who was forced to retire in the wake of the massive data breach, will apologize for the hack and lay out what went wrong in testimony in front of Congress on Tuesday (Oct. 3).
According to news in The Los Angeles Times, citing the prepared remarks Smith is expected to deliver, the former Equifax CEO will also lay out how the credit scoring company responded to the breach that put the personal data of 143 million people at risk and exposed the credit card account numbers of 209,000 customers.
“Equifax was entrusted with Americans’ private data, and we let them down,” Richard Smith said in written testimony for the hearing, which will be in front of the House Energy and Commerce Committee, reported the Los Angeles Times. “To each and every person affected by this breach, I am deeply sorry that this occurred.”
According to the written testimony, the executive cited human error and technology failures for the data breach and called the company a victim. “The company failed to prevent sensitive information from falling into the hands of wrongdoers,” he reportedly said in the remarks on the cybercrime. “The people affected by this are not numbers in a database. They are my friends, my family, members of my church, the members of my community, my neighbors. This breach has impacted all of them. It has impacted all of us.”
According to the Los Angeles Times, Smith also said he was disappointed with a website that was launched to deal with the hack as well as the response from call centers. He said the company initially struggled to help consumers whose personal data was exposed.
In laying out what happened and when the company knew about it, Smith said in the prepared remarks that the cybercrime began on March 8, which is when the Department of Homeland Security’s Computer Emergency Readiness Team warned Equifax and other companies they needed to patch a vulnerability in their software. Smith said the company emailed Homeland Security’s warning about the potential for a hack to the employees in charge of the software. And yet, the vulnerable versions of the software went unpatched.
“Equifax’s efforts undertaken in March 2017 did not identify any versions of Apache Struts that were subject to this vulnerability, and the vulnerability remained in an Equifax web application much longer than it should have,” Smith said.